Third study in series finds support for, but struggles with, increasing regulations and demand for adding more board security expertise
September 28, 2016 (San Francisco) — Bay Dynamics®, a leader in cyber risk analytics, unveiled today the third in a series of reports, all of which examine how boards of directors and IT security professionals prioritize, communicate and reduce cyber risk. The report, titled, “What’s Driving Boards of Directors to Make Cyber Security a Top Priority?” uncovers the specific drivers behind why boards of directors are making cybersecurity a top priority and the challenges they face in reducing cyber risk. In particular, the report found that 46 percent of board members believe compliance regulations help establish stronger security, but nearly 60 percent struggle with meeting increased mandates — a nearly 20 percent jump over the past two years.
The report is based on a nationwide survey, conducted by the third-party research firm Osterman Research, that interviewed 126 board members who are actively serving on boards of enterprises and receive reports about companies’ cybersecurity programs. Some of the additional findings include:
- Chasm Between Intent and Execution — Nearly half of the board members surveyed believe that regulations are “very” sufficient in helping to protect corporate data assets. However, as regulations increase, a growing proportion of companies struggle to satisfy their cybersecurity mandates. Nearly 60 percent expressed that mandates are “somewhat” or “very” difficult to satisfy — a number that has increased by almost 20 percent from 2014 to 2016.
- Knowledge is Power — Three out of five board members believe that one or more of their fellow board members should be a CISO or some other type of cybersecurity expert. The previous survey, “How Boards of Directors Really Feel about Cyber Security Reports,” revealed that more than half of the board members felt they were at a disadvantage as security reporting is too technical. With only one in six board members claiming substantial expertise in understanding the nuances and implications of cybersecurity issues, that power deficiency is driving a 60 percent belief that one or more board members should be a CISO or some other type of cybersecurity expert.
- The Drive to Comply — The previous survey also found that cybersecurity has become the top priority in the boardroom, surpassing other operational risks. This current survey reveals the number one driver of board members making cybersecurity a top priority is complying with regulatory requirements. In the past two years, there has been an 11-fold increase in the number of organizations citing increased regulation from the government as a driver and a similarly dramatic increase from industry bodies. Close behind, with a 10-fold increase, were fears of lawsuits and regulatory penalties. Shockingly, these factors drove more reaction and action than the experience of a breach at their own company.
This report complements two previously released reports in 2016. In addition to “How Boards of Directors Really Feel about Cyber Security Reports,” Bay Dynamics and Osterman Research also published “Reporting to the Board: Where CISOs and The Board are Missing the Mark,” which is based on a survey asking IT and security executives about the challenges they face communicating cyber risk issues to the board.
“This series of reports demonstrates a positive shift in how boards of directors are prioritizing and approaching cyber risk issues,” said Ryan Stolte, co-founder and Chief Technology Officer at Bay Dynamics. “It is clear that boards understand that they are responsible for setting the cyber risk appetite of an organization. This current report shows that board members want to understand and be actively involved in the cyber risk reduction process. That includes making decisions that drive continuous compliance and going a step further by adding a board member with cyber-specific expertise who speaks the same language as the trusted security executives advising them.”
“The survey reveals that boards of directors in larger companies are taking cybersecurity and cyber risk much more seriously than they were just two years ago,” said Michael Osterman, Principal Analyst with Osterman Research. “Board members are increasingly recognizing the critical importance of becoming better educated about cyber-related issues and relying on trusted advisors that can increase their expertise on critical cybersecurity and cyber risk issues.”
- What’s Driving Boards of Directors to Make Cyber Security a Top Priority, September 2016
- How Boards of Directors Really Feel about Cyber Security Reports, June 2016
- Reporting to the Board: Where CISOs and the Board are Missing the Mark, Feb 2016
About Bay Dynamics
Bay Dynamics® is a cyber risk management company that helps enterprises measure, communicate and reduce cyber risk. The company’s flagship analytics software, Risk Fabric®, automates the process of analyzing security information so that it’s traceable, trustworthy and prioritized. The platform makes cyber risk everyone’s business – from employees to line-of-business application owners to the board – and actively engages all parties in measurably reducing it. Bay Dynamics enables some of the world’s largest organizations to understand the state of their cybersecurity posture, including contextual awareness of what their insiders, vendors and bad actors are doing, which is key to effective cyber risk management. For more information, please visit www.baydynamics.com.
Bay Dynamics and Risk Fabric are registered trademarks of Bay Dynamics, Inc. Other trademarks mentioned are the property of their respective owners.